From Zero To 50k Infections – PseudoManuscrypt Sinkholing – Part 1 | Bitsight

Researchers built a sinkhole for PseudoManuscrypt and mapped its infections by analyzing a custom C2 protocol carried over UDP/TCP and layered on KCP, including how the L1/L2 messages are structured and parsed. The work reveals extensive domain-based C2 activity and a rapidly growing botnet with tens of thousands of infected hosts, plus indicators of a versioned C2 and a DGA fallback. #PseudoManuscrypt #sinkhole #toa.mygametoa #tob.mygametob #DGA

Keypoints

  • The PseudoManuscrypt family communicates using KCP over UDP with TCP as a fallback, and uses a custom messaging protocol on top of UDP/TCP.
  • The first C2 exchange discloses detailed machine information (campaign, client_id, OS version, hostname, memory size, etc.), and recording which C2 domain each client contacts lets the sinkhole count and map infections.
  • The protocol is split into two layers: L2 (metadata) and L1 (actual message), with a 0x43 header and multiple compression/encryption options.
  • The compression_type field selects how L1 is encoded: 0x3F means zlib compression followed by XOR of the L1 bytes with 0x88 (other values exist); L2_size and L1_size give the lengths of the two data blocks.
  • First L1 message uses message_type 0x99 and yields fields such as client_id (MD5 of firmware-related substructure) and client_release_date/version; several padding fields are always null.
  • Server responses are either a 3600-second sleep (0x00) or a binary update (0x01); the update is sent when the client is not on the most recent version and carries the new core.
  • The sinkhole's view of the botnet shows an initial surge in reporting hosts followed by a decline, illustrating botnet dynamics and the effect of C2 changes such as new C2 domains or the DGA fallback on what a sinkhole sees.
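The framing described in the keypoints above, worked through as an added example (this is not Bitsight's code nor the malware's). Only the facts stated on the page are fixed: a 0x43 header byte, compression_type 0x3F meaning zlib then XOR 0x88 on L1, L2_size/L1_size, message_type 0x99 for the first message, null padding fields, and the 0x00 sleep / 0x01 update responses. The byte order and widths of the header fields and of the initial-message body are assumptions made for illustration, as is the fw_blob input to the client_id MD5.

```python
# Added example: encode/decode the L2/L1 framing of the PseudoManuscrypt C2
# protocol as summarised in the write-up. Field widths/order below are ASSUMED.
import hashlib
import struct
import zlib

HEADER = 0x43                    # documented header byte
COMP_ZLIB_XOR88 = 0x3F           # documented compression_type: zlib, then XOR 0x88
XOR_KEY = 0x88
MSG_INITIAL = 0x99               # documented message_type of the first L1 message
RESP_SLEEP = 0x00                # documented server response: sleep 3600 s
RESP_UPDATE = 0x01               # documented server response: binary update follows
SLEEP_SECONDS = 3600
MAX_L1_PLAIN = 4 * 1024 * 1024   # sinkhole-side guard against zlib bombs from untrusted peers

# ASSUMED header layout: header(1) compression_type(1) L2_size(4 LE) L1_size(4 LE)
HDR = struct.Struct("<BBII")
# ASSUMED initial-message layout: message_type(1) campaign(4) client_id(16)
# major_winver(4) mem_size_mb(4) hostname(32, NUL padded) padding(8, always NUL)
INIT = struct.Struct("<BI16sII32s8s")


def _xor(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def pack_frame(l2: bytes, l1_plain: bytes) -> bytes:
    """Wrap an L1 message: zlib-compress, XOR with 0x88, prepend header and L2."""
    l1 = _xor(zlib.compress(l1_plain))
    return HDR.pack(HEADER, COMP_ZLIB_XOR88, len(l2), len(l1)) + l2 + l1


def unpack_frame(frame: bytes) -> tuple[bytes, bytes]:
    """Validate header and sizes, then undo XOR + zlib on L1 with a size bound."""
    if len(frame) < HDR.size:
        raise ValueError("frame shorter than header")
    header, comp, l2_size, l1_size = HDR.unpack_from(frame)
    if header != HEADER:
        raise ValueError(f"bad header byte 0x{header:02x}")
    if comp != COMP_ZLIB_XOR88:
        raise ValueError(f"unsupported compression_type 0x{comp:02x}")
    if HDR.size + l2_size + l1_size != len(frame):
        raise ValueError("L2_size/L1_size do not match frame length")
    l2 = frame[HDR.size:HDR.size + l2_size]
    l1 = frame[HDR.size + l2_size:]
    d = zlib.decompressobj()
    l1_plain = d.decompress(_xor(l1), MAX_L1_PLAIN)   # bounded inflate
    if d.unconsumed_tail or not d.eof:
        raise ValueError("L1 exceeds size bound or is truncated")
    return l2, l1_plain


def build_initial(campaign: int, fw_blob: bytes, major_winver: int,
                  mem_size_mb: int, hostname: str) -> bytes:
    """First L1 message (0x99). client_id is the MD5 of a firmware-related
    structure; fw_blob stands in for that structure here (assumption)."""
    client_id = hashlib.md5(fw_blob).digest()
    return INIT.pack(MSG_INITIAL, campaign, client_id, major_winver,
                     mem_size_mb, hostname.encode()[:32], bytes(8))


def parse_initial(l1_plain: bytes) -> dict:
    """Sinkhole side: decode the first message and sanity-check the null padding."""
    msg_type, campaign, client_id, winver, mem, host, pad = INIT.unpack(l1_plain)
    if msg_type != MSG_INITIAL:
        raise ValueError(f"unexpected message_type 0x{msg_type:02x}")
    if pad != bytes(8):
        raise ValueError("padding fields are expected to be null")
    return {"campaign": campaign, "client_id": client_id.hex(),
            "major_winver": winver, "mem_size_mb": mem,
            "hostname": host.rstrip(b"\0").decode(errors="replace")}


def decode_response(l1_plain: bytes):
    """0x00 -> sleep 3600 s; 0x01 -> the remaining bytes are the new core."""
    if not l1_plain:
        raise ValueError("empty response")
    if l1_plain[0] == RESP_SLEEP:
        return ("sleep", SLEEP_SECONDS)
    if l1_plain[0] == RESP_UPDATE:
        return ("update", l1_plain[1:])
    raise ValueError(f"unknown response type 0x{l1_plain[0]:02x}")


def demo():
    """Round-trip a constructed check-in and a constructed sleep reply."""
    checkin = build_initial(7, b"constructed-firmware-id", 10, 8192, "WIN-TEST")
    l2, plain = unpack_frame(pack_frame(b"\x01\x00", checkin))
    _, reply = unpack_frame(pack_frame(b"", bytes([RESP_SLEEP])))
    return parse_initial(plain), decode_response(reply)


if __name__ == "__main__":
    print(demo())
```

The bounded inflate in unpack_frame is the one step a sinkhole operator should not skip: every byte the parser sees is attacker-controlled, and a small zlib stream can expand to gigabytes.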

MITRE Techniques

  • [T1071] Application Layer Protocol – The malware uses a custom protocol over UDP (port 53) and TCP (port 443) for C2 communications. ‘the communication protocol uses UDP port 53 and TCP port 443, they implement their own messaging protocol.’
  • [T1027] Obfuscated Files or Information – The L2/L1 structure employs compression and an XOR step; ‘compression_type’ values include 0x3F — zlib compression, then L1 xored with 0x88.
  • [T1082] System Information Discovery – The first message sends extensive machine data (campaign, client_id, major_winver, hostname, mem_size_mb, etc.). ‘we believe that the L1 format for the initial message includes … hostname … mem_size_mb’
  • [T1112] Modify Registry – The C2 can issue commands to modify registry keys as part of received instructions. ‘commands to … modifying registry keys’ (in context of server responses).
  • [T1070.001] Clear Windows Event Logs – The C2 can instruct actions like clearing event logs. ‘running a binary, clearing event logs, modifying registry keys’
  • [T1105] Ingress Tool Transfer – The C2 may push a binary update to infected hosts, downloading the most recent core. ‘binary update’ command, and sends the most recent version of PseudoManuscrypt’s core.

Indicators of Compromise

  • [Domain] toa.mygametoa[.]com, tob.mygametob[.]com, b.dxyzgame[.]com, 56.jpgamehome[.]com, gp.gamebuy768[.]com, v.xyzgamev[.]com, c.xyzgamec[.]com, xv.yxzgamen[.]com, g.agametog[.]com – C2 domains used by the PseudoManuscrypt botnet
  • [File hash] dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1, ecdfa028928da8df647ece7e7037bc4d492b82ff1870cc05cf982449f2c41786 – example SHA-256 hashes for binary components (sqlite.dll and sqlite.dat)
  • [Filename] sqlite.dll, sqlite.dat – component filenames named in the sinkhole analysis

Read more: https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1